[Note: this was something I wrote a couple of weeks ago. It still holds up.]
While it may feel like an eternity in the cyber world, it is worth reminding ourselves that we remain in its early days, still accumulating examples of its use, its effects, and its utility—or harm. Rather than consider individual incidents, 2022 offers two broad case studies that bear some further examination.
The first is, perhaps inevitably, Ukraine. There, the anticipated Russian equivalent of a Pearl Harbour-style attack headlining the invasion failed to materialise, though there is evidence that attacks intensified beforehand.
Cyber continues to play a role in the broader Russian offensive—infrastructure has been affected, individuals and institutions attacked, and misinformation is evidently part of a reasonably successful propaganda war. Ukraine mobilised its own IT Army and tech sector in defence. Nonetheless, cyber’s covert and opportunistic nature makes judgments on its effectiveness difficult.
Nor is cyber magic, untethered from the normal world: it relies on an underlying physical infrastructure. Speculatively, it may be that Russia, expecting a quick win in Ukraine, wanted to preserve Ukrainian infrastructure for its own use. If so, Russia’s recent targeting of energy and communications infrastructure—using missiles and drones, not cyber—suggests that is no longer the case.
A broader lesson seems to be that cyber does not translate well on to the battlefield, whether to ‘soften up’ targets, incapacitate enemy capability, or generate direct kinetic effects. Unless, of course, that is assisted through bad practice. The case in point is the Russian military’s poor operational security (opsec)—likely attributable to inadequate training, discipline, systems support and logistics—which allowed direct targeting by Ukrainian forces.
Still, battlefield commanders are likely to be leery of relying on cyber: its utility is uncertain, and once in the wild, tools and tactics can be used with impunity against your own. Cyber’s application would seem to lie in the broader social and political sphere, aimed at public support, governance arrangements, institutional and system trust, and decision-making.
That’s reflected in the second case: Australia. There, the issue is not military application, but a rolling drumbeat of data breaches and criminal activity set against a slower, more insidious, shaping of the security environment.
The low cost of entry, coupled with the prospect of lucrative return, a comparatively small chance of punishment, and a wealth of potential targets makes ransomware attacks particularly attractive. Recent attacks exploited inadequate system hygiene, maintenance, and discipline: a misconfigured API, a basic error, in the Optus case; compromised credentials, suggesting weak identity and access controls, in the Medibank case.
While organisations clearly need to up their game, the reality is that the pace of change, an ever-expanding attack surface as devices and applications are continuously added, and excessive data exuberance, make the task of protection near impossible. In short, individuals, organisations and governments exist in a perpetual state of vulnerability and exposure.
The attraction of those opportunities is not restricted to criminal elements, of course. In more illiberal countries, political actors and government find the temptation to target their own populations irresistible. It is at this level of individuals and companies that there is a coercive element—essentially blackmail—to cyber.
At the level of nation-states, however, cyber exerts considerably less coercive traction. What matters to individuals does not translate easily into political outcomes at the nation-state level—unless, of course, the individual targeted is a decision-maker. Further, the infinite, if fleeting, opportunities afforded cyber, its comparatively low cost, covert nature and the use of proxies mean that deterrence, too, has little traction.
Instead, cyber’s effect is corrosive and cumulative. Speculation about how China may use cyber as a ‘Pearl Harbour’ style assault on Taiwan, for example, overlooks what is already underway. Cyber forms part of China’s efforts to distract attention, corrupt foreign officials, steal intellectual property, undermine regional cooperation, and sow uncertainty. In doing so, it shapes the security environment to its advantage.
Australia’s experience illustrates the everyday challenge of cyber for governments. A balance must be struck between developing an immediate response to criminal opportunism, ensuring the essential but mundane, technical and often costly work of good system practice and maintenance, and paying attention to the hard-to-discern, typically ambiguous corrosion of the broader security environment.
The empirical database on cyber is still under development. Still, one lesson is that, at this stage, cyber seems to have limited application on the battlefield—unless militaries expose themselves through poor opsec.
Effectiveness at the ‘high’ strategic level is inconclusive—generally, cyber corrodes stability and security, yet that may also be more a property of the technology environment rather than the result of directed purpose. It is that property that’s being exploited at the ‘low’ strategic level, in the hands of criminals as a tool of blackmail and obfuscation.
It remains early days: we will not be short of opportunities to learn more. The war in Ukraine will continue to generate examples. And the Indo-Pacific, with its vibrant technology and economic growth, its competing interests, illiberal regimes and great power interests, is as much of a petri dish for cyber and its ecosystem.